From ca24a9fa6f3431d3de3c2603bd07db0183141730 Mon Sep 17 00:00:00 2001 From: Shimana P Date: Wed, 24 Jul 2024 12:55:49 +0530 Subject: [PATCH 1/4] dsp: q6voice: Add buf size check for cvp cal data Check for the max size of cvp command register calibration data that can be copied to avoid buffer overflow. Change-Id: I41793bef75095ef06d7dda171bd2eba158422cc9 Signed-off-by: Shimana P --- dsp/q6voice.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/dsp/q6voice.c b/dsp/q6voice.c index c3da1f74e543..f47cdd845105 100644 --- a/dsp/q6voice.c +++ b/dsp/q6voice.c @@ -3221,6 +3221,13 @@ static int voice_send_cvp_register_cal_cmd(struct voice_data *v) voc_get_session_name(v->session_id), v->dev_tx.dev_id, v->dev_rx.dev_id); + if (col_data->cal_data.size >= MAX_COL_INFO_SIZE) { + pr_err("%s: Invalid cal data size %d!\n", + __func__, col_data->cal_data.size); + ret = -EINVAL; + goto unlock; + } + memcpy(&cvp_reg_cal_cmd.cvp_cal_data.column_info[0], (void *) &((struct audio_cal_info_voc_col *) col_data->cal_info)->data, @@ -3381,6 +3388,13 @@ static int voice_send_cvp_register_vol_cal_cmd(struct voice_data *v) goto unlock; } + if (col_data->cal_data.size >= MAX_COL_INFO_SIZE) { + pr_err("%s: Invalid cal data size %d!\n", + __func__, col_data->cal_data.size); + ret = -EINVAL; + goto unlock; + } + memcpy(&cvp_reg_vol_cal_cmd.cvp_vol_cal_data.column_info[0], (void *) &((struct audio_cal_info_voc_col *) col_data->cal_info)->data, From 09f3cb7f71e53156f307137bcaf03affd4586ab1 Mon Sep 17 00:00:00 2001 From: Nageshwar Reddy Goli Date: Tue, 27 Aug 2024 14:05:25 +0530 Subject: [PATCH 2/4] dsp: q6voice: Changing data type from %d to %ld "col_data->cal_data.size" is of long unsigned int type so in pr_err change data type of col_data->cal_data.size to %ld from %d. Change-Id: I462db4c704e9842ad3523a2ac8ef8a9f9372047f Signed-off-by: Nageshwar Reddy Goli --- dsp/q6voice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dsp/q6voice.c b/dsp/q6voice.c index f47cdd845105..9022251481a9 100644 --- a/dsp/q6voice.c +++ b/dsp/q6voice.c @@ -3222,7 +3222,7 @@ static int voice_send_cvp_register_cal_cmd(struct voice_data *v) v->dev_rx.dev_id); if (col_data->cal_data.size >= MAX_COL_INFO_SIZE) { - pr_err("%s: Invalid cal data size %d!\n", + pr_err("%s: Invalid cal data size %ld!\n", __func__, col_data->cal_data.size); ret = -EINVAL; goto unlock; @@ -3389,7 +3389,7 @@ static int voice_send_cvp_register_vol_cal_cmd(struct voice_data *v) } if (col_data->cal_data.size >= MAX_COL_INFO_SIZE) { - pr_err("%s: Invalid cal data size %d!\n", + pr_err("%s: Invalid cal data size %ld!\n", __func__, col_data->cal_data.size); ret = -EINVAL; goto unlock; From b12699f47e07b9258633d1da1ba095ea7da5f148 Mon Sep 17 00:00:00 2001 From: Abinath S Date: Fri, 9 Aug 2024 17:53:45 +0530 Subject: [PATCH 3/4] asoc: codec: avoid out of bound write to map array added check for port num and channel iteration are lessthan 8 to avoid out of bound write to 8x8 map array. Change-Id: I4c6fe13a5eb09be623a1c40ce16c5a5e4246e021 Signed-off-by: Abinath S --- asoc/codecs/rouleur/rouleur.c | 5 +++++ asoc/codecs/wcd937x/wcd937x.c | 6 +++++- asoc/codecs/wcd938x/wcd938x.c | 7 +++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/asoc/codecs/rouleur/rouleur.c b/asoc/codecs/rouleur/rouleur.c index 0a2cf8f9d9f9..9bcb6e89ad7b 100644 --- a/asoc/codecs/rouleur/rouleur.c +++ b/asoc/codecs/rouleur/rouleur.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -223,6 +224,10 @@ static int rouleur_parse_port_mapping(struct device *dev, for (i = 0; i < map_length; i++) { port_num = dt_array[NUM_SWRS_DT_PARAMS * i]; + if (port_num >= MAX_PORT || ch_iter >= MAX_CH_PER_PORT) { + dev_err(dev, "%s: Invalid port or channel number\n", __func__); + goto err_pdata_fail; + } slave_port_type = dt_array[NUM_SWRS_DT_PARAMS * i + 1]; ch_mask = dt_array[NUM_SWRS_DT_PARAMS * i + 2]; ch_rate = dt_array[NUM_SWRS_DT_PARAMS * i + 3]; diff --git a/asoc/codecs/wcd937x/wcd937x.c b/asoc/codecs/wcd937x/wcd937x.c index 7641146db392..75a2a57f05ec 100644 --- a/asoc/codecs/wcd937x/wcd937x.c +++ b/asoc/codecs/wcd937x/wcd937x.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved. - * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2023,2024 Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -279,6 +279,10 @@ static int wcd937x_parse_port_mapping(struct device *dev, for (i = 0; i < map_length; i++) { port_num = dt_array[NUM_SWRS_DT_PARAMS * i]; + if (port_num >= MAX_PORT || ch_iter >= MAX_CH_PER_PORT) { + dev_err(dev, "%s: Invalid port or channel number\n", __func__); + goto err_pdata_fail; + } slave_port_type = dt_array[NUM_SWRS_DT_PARAMS * i + 1]; ch_mask = dt_array[NUM_SWRS_DT_PARAMS * i + 2]; ch_rate = dt_array[NUM_SWRS_DT_PARAMS * i + 3]; diff --git a/asoc/codecs/wcd938x/wcd938x.c b/asoc/codecs/wcd938x/wcd938x.c index 9207bbd20319..16b1df33e7c4 100644 --- a/asoc/codecs/wcd938x/wcd938x.c +++ b/asoc/codecs/wcd938x/wcd938x.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -377,6 +378,12 @@ static int wcd938x_parse_port_mapping(struct device *dev, for (i = 0; i < map_length; i++) { port_num = dt_array[NUM_SWRS_DT_PARAMS * i]; + + if (port_num >= MAX_PORT || ch_iter >= MAX_CH_PER_PORT) { + dev_err(dev, "%s: Invalid port or channel number\n", __func__); + goto err_pdata_fail; + } + slave_port_type = dt_array[NUM_SWRS_DT_PARAMS * i + 1]; ch_mask = dt_array[NUM_SWRS_DT_PARAMS * i + 2]; ch_rate = dt_array[NUM_SWRS_DT_PARAMS * i + 3]; From 293b729bf39eb1acb9bfff1cca518be94569b5fe Mon Sep 17 00:00:00 2001 From: Abinath S Date: Fri, 9 Aug 2024 17:53:45 +0530 Subject: [PATCH 4/4] asoc: codec: avoid out of bound write to map array added check for port num and channel iteration are lessthan 8 to avoid out of bound write to 8x8 map array. Change-Id: I4c6fe13a5eb09be623a1c40ce16c5a5e4246e021 Signed-off-by: Abinath S (cherry picked from commit b12699f47e07b9258633d1da1ba095ea7da5f148) --- asoc/codecs/rouleur/rouleur.c | 5 +++++ asoc/codecs/wcd937x/wcd937x.c | 6 +++++- asoc/codecs/wcd938x/wcd938x.c | 7 +++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/asoc/codecs/rouleur/rouleur.c b/asoc/codecs/rouleur/rouleur.c index 0a2cf8f9d9f9..9bcb6e89ad7b 100644 --- a/asoc/codecs/rouleur/rouleur.c +++ b/asoc/codecs/rouleur/rouleur.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -223,6 +224,10 @@ static int rouleur_parse_port_mapping(struct device *dev, for (i = 0; i < map_length; i++) { port_num = dt_array[NUM_SWRS_DT_PARAMS * i]; + if (port_num >= MAX_PORT || ch_iter >= MAX_CH_PER_PORT) { + dev_err(dev, "%s: Invalid port or channel number\n", __func__); + goto err_pdata_fail; + } slave_port_type = dt_array[NUM_SWRS_DT_PARAMS * i + 1]; ch_mask = dt_array[NUM_SWRS_DT_PARAMS * i + 2]; ch_rate = dt_array[NUM_SWRS_DT_PARAMS * i + 3]; diff --git a/asoc/codecs/wcd937x/wcd937x.c b/asoc/codecs/wcd937x/wcd937x.c index 7641146db392..75a2a57f05ec 100644 --- a/asoc/codecs/wcd937x/wcd937x.c +++ b/asoc/codecs/wcd937x/wcd937x.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved. - * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2023,2024 Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -279,6 +279,10 @@ static int wcd937x_parse_port_mapping(struct device *dev, for (i = 0; i < map_length; i++) { port_num = dt_array[NUM_SWRS_DT_PARAMS * i]; + if (port_num >= MAX_PORT || ch_iter >= MAX_CH_PER_PORT) { + dev_err(dev, "%s: Invalid port or channel number\n", __func__); + goto err_pdata_fail; + } slave_port_type = dt_array[NUM_SWRS_DT_PARAMS * i + 1]; ch_mask = dt_array[NUM_SWRS_DT_PARAMS * i + 2]; ch_rate = dt_array[NUM_SWRS_DT_PARAMS * i + 3]; diff --git a/asoc/codecs/wcd938x/wcd938x.c b/asoc/codecs/wcd938x/wcd938x.c index 9207bbd20319..16b1df33e7c4 100644 --- a/asoc/codecs/wcd938x/wcd938x.c +++ b/asoc/codecs/wcd938x/wcd938x.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -377,6 +378,12 @@ static int wcd938x_parse_port_mapping(struct device *dev, for (i = 0; i < map_length; i++) { port_num = dt_array[NUM_SWRS_DT_PARAMS * i]; + + if (port_num >= MAX_PORT || ch_iter >= MAX_CH_PER_PORT) { + dev_err(dev, "%s: Invalid port or channel number\n", __func__); + goto err_pdata_fail; + } + slave_port_type = dt_array[NUM_SWRS_DT_PARAMS * i + 1]; ch_mask = dt_array[NUM_SWRS_DT_PARAMS * i + 2]; ch_rate = dt_array[NUM_SWRS_DT_PARAMS * i + 3];